Hi, I have been trying to find a way to protect my network from my own customers; I will try to explain myself. About a week ago one of my customers connected a router to the network, and instead of connecting it to the WAN port he connected it to one of the Ethernet ports, and it was assigning IP addresses. It was easy to discover, but meanwhile it affected some other customers.
The first example was easy to fix, but I had another client that had a virus that killed his network and somehow managed to mess up my whole network: it made the connections drop, the network was very slow, some pages didn't open, and all this was caused by a single computer. I was able to discover this when I restarted the router and all the clients started to log in, and everything was fine until this client connected and the internet started to fail. I went to this customer, and every time I connected his machine to the network it started to fail. It took me about 15 days to find out what was happening, and I need a way to prevent this from happening again.
I just use Mikrotik for client authentication and load balancing; for the wireless part I'm using Skypilot.
Well, I think that virus was using some kind of ARP spoofing to redirect traffic to the infected machine. It's poisoning of one client by another client, without the router's participation, so your switches should have some security functions. On the RouterOS side you may just use a static ARP table (or a read-only one, with the 'Add ARP for Leases' DHCP server option).
Hi, thank you very much for your time. I can't find where I can set ARP to read-only; can you please tell me how to do it? I had to disable 'Add ARP for Leases' in the DHCP server because it was stopping my clients from authenticating in the hotspot. Also, can you suggest a switch that can protect my network from this?
To prevent ARP attacks on your network try the ARPon website: http://arpon.sourceforge.net/,
otherwise you have to buy a Cisco Catalyst, at least 4500 series, with these kinds of protections.
What you want is a Cisco 3550 or better… so a 3550, 3560, 3750, or 6500 with Sup32 or better. A 3550 48-port switch is $310. You want to use port security (limits MACs per port / prevents MAC table overrunning / DHCP starvation), DHCP snooping (prevents rogue DHCP / builds the DHCP snooping binding table) and dynamic ARP inspection (prevents man-in-the-middle attacks). All of this protection for $320 is pretty remarkable.
The 3550 won't go 100%; it will err-disable the port (shut it down). You can then set a recovery timer on ports that are err-disabled, so the port will move back to forwarding traffic after a given interval. 3550s are the cheapest option in the Cisco line to take care of these issues.
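To make concrete what the three Catalyst features above actually decide on each frame (and why the earlier suggestion of a static, DHCP-derived ARP table stops the same attack), here is a small software model of a switch access port. It is an added example, not code from this thread, from Cisco or from MikroTik: it builds a binding table from DHCP traffic seen on a trusted uplink (DHCP snooping), drops ARP replies that contradict that table (dynamic ARP inspection), limits MACs per port and err-disables on violation (port security), and models the recovery timer. All port names, MAC and IP addresses are constructed for the demo.

```python
"""Toy model of DHCP snooping, dynamic ARP inspection (DAI) and port security.

Example code written for this discussion; it is not vendor firmware and
simplifies heavily (no VLANs, no rate limits, no timers, no DHCP options).
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    trusted_ports: set                 # uplink(s) towards the real DHCP server
    max_macs_per_port: int = 1         # port-security limit on access ports
    pending: dict = field(default_factory=dict)    # client MAC -> port of its DISCOVER
    bindings: dict = field(default_factory=dict)   # IP -> (MAC, port), the snooping table
    port_macs: dict = field(default_factory=dict)  # port -> set of source MACs learned
    errdisabled: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def _port_security(self, port, mac):
        """Learn the source MAC; err-disable the port if it exceeds the limit."""
        if port in self.errdisabled:
            return False
        seen = self.port_macs.setdefault(port, set())
        if mac not in seen and len(seen) >= self.max_macs_per_port:
            self.errdisabled.add(port)
            self.alerts.append(f"port-security: {port} err-disabled (extra MAC {mac})")
            return False
        seen.add(mac)
        return True

    def dhcp_discover(self, port, client_mac):
        """Client-side DHCP message: remember which port the client lives on."""
        if not self._port_security(port, client_mac):
            return False
        self.pending[client_mac] = port
        return True

    def dhcp_ack(self, port, server_mac, client_mac, ip):
        """Server-side DHCP message: only trusted ports may carry these."""
        if port not in self.trusted_ports:
            self.alerts.append(f"dhcp-snooping: rogue DHCP server {server_mac} on {port}")
            return False
        client_port = self.pending.pop(client_mac, None)
        if client_port is None:
            return False            # ACK for a client we never saw ask
        self.bindings[ip] = (client_mac, client_port)
        return True

    def arp_reply(self, port, sender_mac, sender_ip):
        """DAI: an untrusted port may only claim IP/MAC pairs from the binding table."""
        if not self._port_security(port, sender_mac):
            return False
        if port in self.trusted_ports:
            return True             # DAI does not inspect trusted ports
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.alerts.append(f"dai: dropped ARP {sender_ip} is-at {sender_mac} on {port}")
            return False
        return True

    def errdisable_recover(self, port):
        """The recovery timer: re-enable the port and forget what it had learned."""
        self.errdisabled.discard(port)
        self.port_macs.pop(port, None)


def run_demo():
    """Replay constructed sample traffic; returns the switch and per-frame verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    verdicts = [
        # legitimate customer on Fa0/2 gets a lease from the real server behind Gi0/1
        sw.dhcp_discover("Fa0/2", "aa:aa:aa:aa:aa:02"),
        sw.dhcp_ack("Gi0/1", "00:00:5e:00:01:01", "aa:aa:aa:aa:aa:02", "10.0.0.20"),
        sw.arp_reply("Fa0/2", "aa:aa:aa:aa:aa:02", "10.0.0.20"),      # matches binding
        # customer router plugged in by its LAN port on Fa0/5, handing out leases
        sw.dhcp_ack("Fa0/5", "bb:bb:bb:bb:bb:05", "aa:aa:aa:aa:aa:02", "192.168.1.100"),
        # infected host on Fa0/7 claims to be the gateway 10.0.0.1
        sw.arp_reply("Fa0/7", "cc:cc:cc:cc:cc:07", "10.0.0.1"),
        # same port now sourcing a second MAC: port-security violation
        sw.arp_reply("Fa0/7", "dd:dd:dd:dd:dd:07", "10.0.0.1"),
        # the real gateway answering on the trusted uplink is left alone
        sw.arp_reply("Gi0/1", "00:00:5e:00:01:01", "10.0.0.1"),
    ]
    return sw, verdicts


if __name__ == "__main__":
    switch, results = run_demo()
    print(results)
    for line in switch.alerts:
        print(line)
```

Running it prints the verdict per frame and three alerts, one from each mechanism: the rogue DHCP ACK on Fa0/5 is dropped because the port is untrusted, the gateway impersonation on Fa0/7 is dropped because no binding says 10.0.0.1 lives there, and the second MAC on Fa0/7 err-disables the port until `errdisable_recover` is called, which is the timer behaviour described above. Note that DAI only works once the binding table is populated, so hosts with static addresses need explicit entries, which is the same caveat as a static ARP table on the router.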
Here’s an article on configuring your equipment. It also explains the issues more in depth. http://gregsowell.com/?p=1133